Netgate Discussion Forum

    Inbound NAT with Multi WAN broken with 21.02?

    • jeff.martin

      I am also seeing this problem, on a SG-4860 running 21.02-p1.
      Dual WAN, and NAT only works on the default WAN.

      Was hoping the hotfix would be the answer. Just installed it tonight, but it didn't fix the issue.

      -Jeff

    • phatty @jeff.martin

        Has anyone contacted support on this? With enough people complaining in the forums I thought this would be an obvious and urgent issue to fix. I admit I haven't contacted support because my production environment required I quickly revert back to the old environment to keep things running. I figured with everything downgraded, contacting support wouldn't be too useful other than to be another vote that this is a problem.

    • AdamMarie

          Hello,

          It seems the community support was already contacted for this: ticket Regression 11436
          Its priority is "very high" but the ticket has not yet been assigned since 17/02/2021.
          And worse, the problem seems to begin with the 2.5 devel branch, reported in December 2020 and not corrected since.

          @phatty I only have "community support" for my XG-7100 so can't contact the paid support for that problem. I have reverted to 2.4.5p1 as well.

          I can't imagine paid support customers not using multi-WAN inbound, so maybe they got an exclusive hotfix from paid support?

          Since this regression came in with 2.5 devel and was never corrected in the devel branch, this should have been a no-go for the pfSense+ 21.02 release on the stable channel...

          Adam

    • null.oz

            Hi,

            We also have the problem on a 2x XG-1537 cluster. This is very problematic.

            Note that we have noticed a strange behavior with this bug. Simplified network topology:
            FW2 (WAN IP) - Port fwd -> pfSense HA - Port fwd -> Srv.

            The FW2 is our second WAN. Port forwarding from this second WAN therefore no longer works because of the bug. While performing tests with OpenVPN and netcat (in UDP only), here is what we found:

            • The first packet sent by the client reaches the server (port forwarding therefore works)
            • The return packet sent by the server reaches the client. So far so good
            • From there, all packets sent by the client arrive at the pfSense cluster (we see them with tcpdump on the link with the FW2) but they disappear silently and are never transmitted to the server
            • On the other hand, all the packets sent from the server to the client arrive at the client (which makes sense since the bug concerns port forwarding)

            Hope this bug is fixed quickly.

    • nazgulix

              Hi,
              I have the same problem with SG-5100 and 21.02. Tried to install 2.4 but there is no download link on the Netgate website. Why no comment from Netgate about this issue? Multiple WAN isn't uncommon these days... so it affects lots of people.
              Adam

    • phatty @nazgulix

                @nazgulix If you contact support they will provide you a link to download 2.4 firmware.

                Also, assuming your NAT rules are focused on your primary WAN, if you set pfSense default routing to your primary WAN instead of auto, things will work.

                It is really disappointing such a bug was allowed to be released on a so-called stable release. I also ran into an issue with OpenVPN not liking my CA certificate, causing me to downgrade security requirements to authenticate my users for the time being.

                The band-aid of updating pfSense routing does work in my environment as I had hard coded NAT items to use my Fiber WAN vs cable modem.

    • nazgulix @phatty

                  @phatty Thanks for the hint with the default gateway. Unfortunately I have both "primary" WANs and there are different NATs on each of them. I found a pendrive with 2.4 but it didn't install (some kernel errors), don't have time for it now. Simply put the SG-5100 on the shelf and installed a fresh 2.4 on a PC with 6 NICs. And will wait for a fix from Netgate.

                  Like you said, this release is called "plus" and it's supposed to be stable, but for now it's pfSense plus bugs... :(

    • AdamMarie

                    Hello,

                    Just a little bit of patience, the ticket for this problem is in progress and is now assigned: Regression #11436

                    Seeing the target version for the correction (2.5.1), it seems there will be no "hotfix" and we will probably need to wait for the release of 2.5.1 (21.03 in pf+? maybe 21.04? ^^)

                    Adam

    • AdamMarie

                      Hi,

                      I must say I'm pretty disappointed by a "professional" firewall vendor...
                      The ticket for that "problem" is not really progressing (only people saying +1 "I got the same problem in xxx/same situation").

                      Until this regression is corrected, and given that I recently read this news (external phoronix link), I think I may wait for pfSense to switch to FreeBSD 13.0(.1) before trying again the so-called "stable" 21.02 (21.XX, because it's supposed to be versioned by date if I'm not wrong) branch on my XG-7100 firewall.
                      I suggest everyone who has the problem do the same. (unless you have a "lab" and time to help the support of course ^^)
                      Adam

    • Axm

                        I've been breaking my head over this...

                        Our site in France using an SG-3100 that also uses multi-WAN has the same issue!

    • Michael_Kappler

                          Two months later without any fix. My customers are getting more and more impatient.

                          I now have to tell them to switch to a professionally supported platform, as I will do now. Giving Sophos a chance now.

                          So:
                          "Goodbye Netgate" -> "Hello professionally supported appliances" !!!

                          Hope everyone staying at Netgate gets a fix someday.

                          Bye,
                          Michael

    • CaliPilot @Michael_Kappler

                            @michael_kappler

                            https://redmine.pfsense.org/issues/11436#note-56

                            FYI

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.